ABSTRACT

The use of deductive techniques, such as theorem provers, has several advantages in safety verification of hybrid systems; however, state-of-the-art theorem provers require extensive manual intervention. Furthermore, there is often a gap between the type of assistance that a theorem prover requires to make progress on a proof task and the assistance that a system designer is able to provide. This paper presents an extension to KeYmaera, a deductive verification tool for differential dynamic logic; the new technique allows local reasoning using system designer intuition about performance within particular modes as part of a proof task. Our approach allows the theorem prover to leverage forward invariants, discovered using numerical techniques, as part of a proof of safety. We introduce a new inference rule into the proof calculus of KeYmaera, the forward invariant cut rule, and we present a methodology to discover useful forward invariants, which are then used with the new cut rule to complete verification tasks. We demonstrate how our new approach can be used to complete verification tasks that lie out of the reach of existing deductive approaches using several examples, including one involving an automotive powertrain control system.
1. INTRODUCTION

Modern physical systems such as automobile engines, avionics, and medical devices are controlled by software running on embedded computing platforms. In the software domain, techniques such as model checking, theorem proving, and abstract interpretation have had success verifying purely software systems. For physical systems, techniques from dynamical systems theory and control theory such as Lyapunov analysis have long been used to help characterize system performance. Most cyberphysical systems, however, are hybrid, i.e., have both continuous state evolution governed by differential equations and discrete mode transitions. Most interesting analyses for such systems (e.g., reachable set estimation) are undecidable [?], and most software verification techniques are not directly applicable.

Many extant approaches to hybrid system verification focus on creating an overapproximation of the set of system states reachable over a fixed time horizon [?]. While these approaches enjoy a high degree of automation, they are restricted in scope and scalability. Tools such as SpaceEx [10] and Flow* [?] are susceptible to approximation error that worsens when the reachable set estimation over the continuous state space interacts with discrete switching, leading to false positives. The theorem prover PVS has been used to reason about hybrid systems as composable hybrid automata in [?]. However, the continuous components are modeled by the explicit solutions of the differential equations. Explicit solutions can only be obtained for restricted classes of differential equations, e.g., linear. On the other hand, dL allows reasoning about continuous dynamics by using only the differential equations.

An alternative approach is to employ deductive techniques that attempt to construct a symbolic proof of safety using a semi-interactive theorem prover [?]. This approach has several advantages in safety verification of hybrid systems. Unlike explicit reach-set computation techniques, theorem provers can handle nonlinear dynamics directly, without introducing approximation artifacts. Further, theorem provers can handle proof tasks that involve symbolic parameters, with only the minimal constraints required to guarantee safety. This makes the verification result reusable across systems with parameter variations. In the context of dynamical or hybrid systems verification, a human may provide insight to the theorem proving tool in the form of a safety certificate, i.e., a symbolic expression representing a set containing all reachable states from a given initial set, while excluding unsafe states [23]. The tool can then use this certificate to automatically prove system safety.

In [25], the authors propose an approach that begins with a global candidate certificate (in the form of a differential invariant) that overapproximates the reachable set of states. Constraints are iteratively added until the overapproximation is small enough to exclude the unsafe set, at which point the invariant becomes a safety certificate. This approach has had success in verifying aircraft roundabout maneuvers using the KeYmaera theorem prover. The notable aspect of this approach is that the initial input is in the form of a global certificate of system safety, which is eagerly constructed and then (globally) refined.

Cyberphysical system designs have distinct modes of operation, with each mode corresponding to an (often) independently designed controller operating regime. Consequently, a designer has much more nuanced information about mode-specific behaviors rather than overarching knowledge about the entire system. The central thesis of this paper is that, when available, such additional information can be more useful to a theorem prover than a technique relying on construction of a global safety certificate. Our approach encourages local reasoning and lazy construction of certificates.

As an example of augmented local information, consider the scenario where a designer knows that from a given set of modes, there are no discrete transitions to unsafe system modes. This is a form of local certificate; in this case derived purely by reasoning over the finite transition structure of the discrete modes. Also consider the designer insight that a system is expected to be stable in a certain mode. This is another form of local information that makes it possible to employ Lyapunov analysis-based techniques to obtain a forward invariant set or barrier certificate that provides a local certificate for that mode.

To support local reasoning, we introduce a new proof rule that we call the forward invariant cut rule in the calculus of KeYmaera. Given a region of operation and a safe forward invariant for the behaviors of that mode, the forward invariant cut rule allows us to decompose the overall global safety proof into three proof obligations: (1) a proof of invariance of the proposed certificate, (2) a proof that the certificate guarantees safety, and (3) a proof of safety of everything but the behaviors associated with the region covered by the certificate. This makes it possible to carve out safe behavior and focus analysis only on the remaining part of the system. An advantage of the decompositional approach is that it allows us to defer the process of producing a local certificate until we reach the relevant sub-goal in the safety proof. In other words, it allows lazy construction of safe forward invariants, which is convenient as certificates for system components are often easier to obtain than certificates for the aggregate system.

We demonstrate how our methodology can be used to complete verification tasks that lie out of the reach of existing deductive techniques. The systems we consider are hybrid and contain examples with continuous dynamical behaviors that are described by nonlinear ordinary differential equations (ODEs). Deductive approaches exist for addressing this class of systems, but the existing frameworks alone are insufficient to complete the proof tasks for the examples herein. For example, the framework in [25] provides a means to address the examples we present using differential invariants, but the authors provide no general method of computing the required differential invariant candidates. Further, their technique requires reasoning about the global behavior of the system, as opposed to the local invariant property that we require (a much weaker requirement). The deductive proof system presented in [8] uses local safety certificates to reason about behaviors but applies to continuous (as opposed to hybrid) systems. Also, [8] provides no constructive means of generating the necessary local safety certificates. This is in contrast to our approach, which provides methodologies for generating the local safety certificates and including them in the proof task.

We present three examples that demonstrate the practical application of the forward invariant cut rule. The first is a hybrid system with three stable modes and one fail mode. The second is a non-autonomous switched system, in which a user has the freedom to switch modes at arbitrary instants. The third is a simplified model of an automotive subsystem that is responsible for maintaining the air-to-fuel (A/F) ratio in an engine near an optimal setpoint. In the automotive context, this is one of the most important control problems, with significant implications for fuel efficiency and exhaust gas emissions. We are able to prove that the A/F ratio remains within 10% of the optimal setpoint value using KeYmaera.

The paper is organized as follows. In Sec. 2 we introduce the terminology and review material on hybrid programs (the syntactic form used by KeYmaera to express hybrid systems). We introduce the forward invariant cut rule in Sec. 3, and in Sec. 4 we describe techniques for obtaining local certificates. We show how the forward invariant cut rule can be applied to specific case studies in Sec. 5. Finally, we conclude and discuss related and future work in Sec. 6.

2. HYBRID SYSTEMS AND HYBRID PROGRAMS

A hybrid system is a dynamical system with continuous-valued state variables x that take values from a domain X ⊆ ℝⁿ and a discrete-valued state variable q taken from a finite set Q. The system evolves in continuous or discrete time, and the configuration of a hybrid system at time t can be described by the values of its continuous and discrete state variables. The discrete-valued states are called modes of operation. The hybrid state is given by the ordered pair (x, q) ∈ X × Q. In a discrete mode q, the evolution of the continuous-valued state variables is described by ordinary differential equations (ODEs)

$$\dot{x}(t) = f_q(x(t)), \qquad (1)$$

where f_q is a function from X to X, often called the vector field. Though hybrid systems are often described with external inputs, in this paper we consider only autonomous systems, i.e., systems in which all transitions depend only on the system states. The state-dependent conditions that allow the system to transition from one discrete state to another (possibly the same) discrete state are called guards.

Hybrid systems are often modeled using hybrid automata. We use Fig. 1 as a running example. This example has four modes and two continuous-valued state variables, with associated ODEs. Modes are represented by nodes in the graph; each mode q has an associated unique set of ODEs (f_q). There is a guard on the outgoing transition from q0 to q1, and the transition from q0 to q2 is unguarded, so it can always be taken. The transition from q0 to q2 has a nondeterministic reset allowing a jump from the current state values x1 and x2 to any pair of values within the circle of radius two. The set of feasible initial conditions is indicated on the default transition. Modes q0 and q2 have stable linear dynamics, and q1 has stable nonlinear dynamics, as in Example 4.10 of [19].

While hybrid automata are a convenient formalism, in this paper we use the formalism of hybrid programs in order to facilitate the use of the KeYmaera theorem prover, which is the workhorse for our deductive approach. Note that any hybrid automaton can be transformed into a hybrid program [23], therefore there is no loss of generality in considering hybrid programs. KeYmaera uses the formalism of differential dynamic logic, denoted by dL.¹

¹ The syntax and semantics of dL are described in detail in [23]; we provide only a minimal overview here.

Figure 1: A running example: All the modes have stable continuous dynamics, and there is a special “fail” mode.


2.1 The logic dL

A hybrid program is specified by the grammar

$$\alpha, \beta ::= x := \theta \mid x := * \mid \{x_1' = \theta_1, \ldots, x_n' = \theta_n \,\&\, H\} \qquad (2)$$
$$\mid\ ?H \mid \alpha \cup \beta \mid \alpha; \beta \mid \alpha^* \qquad (3)$$

where α, β are hybrid programs, θ, θ1, ..., θn are terms, and H is a logical formula. Intuitively, the program x := θ means that x is assigned the value of the term θ. The program x := * means that x is nondeterministically assigned an arbitrary real value. The program {x1' = θ1, ..., xn' = θn & H} means that the variables x1, ..., xn evolve continuously for some duration, with derivatives θ1, ..., θn, subject to the constraint that x1, ..., xn satisfy H during the entire flow. The hybrid program ?H behaves as a skip if the logical formula H is true, and as an abort otherwise.

The nondeterministic choice α ∪ β means that either α or β may be executed. The sequential composition α; β means that α is executed, then β. The nondeterministic repetition α* means that α is executed an arbitrary (possibly zero) number of times. The logic dL itself is a multimodal logic, in which the modalities are annotated with hybrid programs. The formulas of dL are described by the grammar:

$$\phi ::= \theta_1 = \theta_2 \mid \theta_1 \ge \theta_2 \mid \neg\phi \mid \phi \wedge \psi \qquad (4)$$
$$\mid \phi \vee \psi \mid \phi \to \psi \mid [\alpha]\phi \mid \langle\alpha\rangle\phi \qquad (5)$$

where φ, ψ are formulas of dL, θ1, θ2 are terms, and α is a hybrid program. The box modality [α]φ means that φ holds after all traces of the hybrid program α, and ⟨α⟩φ means that φ holds after some execution of the hybrid program α.

In the sequel, we will abuse notation and use a formula interchangeably with the set that it represents.

2.2 Example

Model 1 shows a hybrid program representation of the running example. Line 1 shows how the subprograms are assembled into the overall program. The system starts at a set I (Line 3), and at each iteration of the loop, one of the subprograms is nondeterministically chosen for attempted execution. If the guard of the subprogram succeeds, execution proceeds. The verification task is to show that when this loop is executed any (finite) number of times, the state remains in the set S (Line 16). Line 4 is the guard and differential equations of q0. Line 5 is the transition from q0 to q1 and the required guard. Line 7 specifies the continuous evolution of q1. Line 9 applies the reset of the transition into q2, which indicates that the state resets anywhere in the circle of radius two. Line 10 checks the incoming guard to q2 and Line 11 specifies the associated differential equations. Lines 12 to 14 specify the guard that allows transitions into the failure mode. Note that the guard does not check the current mode, since all of the modes may transition into the failure mode if the continuous states leave their prescribed bounds. Line 15 specifies that once the failure mode is entered, it is not possible to leave it, and the states x1, x2 maintain their previous values and do not evolve.


Model 1: Hybrid program for the running example

 1  Ex            ≡ I → [(m0 ∪ s0→1 ∪ m1 ∪ s0→2 ∪ m2 ∪ s{0,1,2}→fail ∪ mfail)*] S
 2
 3  I             ≡ x1² + x2² < 10 ∧ M = q0
 4  m0            ≡ ?(M = q0); {x1' = −x1, x2' = −x2}
 5  s0→1          ≡ ?(M = q0); ?(x1² + x2² < 1); (M := q1);
 6  m1            ≡ ?(M = q1);
 7                  {x1' = −(x2 + 1) * x1, x2' = x1²}
 8  s0→2          ≡ ?(M = q0);
 9                  x1 := *; x2 := *; ?(x1² + x2² < 4); (M := q2)
10  m2            ≡ ?(M = q2);
11                  {x1' = −3x1 + 13x2, x2' = −5x1 − x2}
12  s{0,1,2}→fail ≡ ?(−10 > x1 ∨ x1 > 10
13                    ∨ −10 > x2 ∨ x2 > 10);
14                  M := fail
15  mfail         ≡ ?(M = fail);
16  S             ≡ M ≠ fail


3. SAFETY VERIFICATION WITH THE FORWARD INVARIANT CUT RULE

3.1 The safety verification problem

The safety verification problem is to decide whether the state of a system is always contained within a given safe set when starting from a designated initial set, or equivalently, whether none of the behaviors enter an unsafe set.

To formalize this problem in dL, suppose α is a hybrid program representation of the system of interest. Suppose S is the safe set and I is the set of initial states. Then the behaviors of α are contained in S if the following formula is a theorem of dL:

$$I \to [\alpha^*] S.$$

The theorem prover KeYmaera can be used to attempt to prove this.

To solve this problem, one might construct a set that contains all of the system behaviors from the initial set and is contained in the safe set. We call such a set a safety certificate. A safety certificate must contain the initial state set, exclude the unsafe set, and be invariant for system behaviors. We say that a set is initialized if it includes the initial set, safe if it excludes the unsafe set, and invariant if whenever a system behavior enters it, the behavior remains in the set for all future time. Arguments with safety certificates are captured in dL using the invariant proof rule, where C is a safety certificate:

$$\frac{I \to C \qquad C \to [\alpha] C \qquad C \to S}{I \to [\alpha^*] S}$$

The general task of finding a safety certificate is difficult. In this work, we propose instead a procedure that incrementally works towards a proof. Instead of a safety certificate, we use knowledge of system structure to propose sets that are invariant and safe, but not necessarily initialized, and leverage them in the proof procedure.

In our running example, modes q1 and q2 have stable dynamics. If a Lyapunov function can be computed for either of these modes, its sublevel sets (i.e., sets of the form {x | V(x) < ℓ}, for some ℓ > 0) will be invariant. The sublevel sets will be safe if they exclude the transition to the fail mode, but they will not be initialized, since they do not contain mode zero.

3.2 The forward invariant cut rule

A cut in a logical proof allows introducing a lemma. The main contribution of this paper is a type of cut that simplifies the proof procedure by leveraging knowledge of local invariance properties.

The following theorem establishes that if it can be shown that a predicate C is locally invariant (C → [α]C) and safe (C → S), then the remaining conditions (¬C) can be separately addressed to prove safety.

Theorem 1 (Forward Invariant Cut Rule). The following is a sound inference rule for the logic dL.

$$\frac{I \wedge \neg C \to [(\alpha;\ ?\neg C)^*] S \qquad C \to [\alpha] C \qquad C \to S}{I \to [\alpha^*] S} \qquad (6)$$

Proof. We first provide a sketch in natural language. Let $\nu_0, \nu_1, \ldots, \nu_n$ be any sequence of states of any length that are connected by runs of the hybrid program $\alpha$.

Case a: Suppose that none of the states in this sequence satisfy $C$. Then this sequence is a run of the hybrid program $(\alpha;\ ?\neg C)^*$, and is safe by the first premise.

Case b: On the other hand, suppose $\nu_i \in C$ for some $0 \le i \le n$. Then the subsequence $\nu_i, \ldots, \nu_n$ is a run of the program $\alpha^*$ starting from $C$. Then from the second and third premises of the rule, $\nu_j \in C \subseteq S$ for all $j \ge i$. Note that the subsequence $\nu_0, \ldots, \nu_{i-1}$ is a run of program $\alpha^*$ such that no state satisfies $C$, and is therefore safe by the previous case.

The formal proof follows. Fix an interpretation $I$ and an assignment $\eta$. From the semantics of the second premise, if $\nu \in C$ and $(\nu, \omega) \in \rho_{I,\eta}(\alpha)$, then $\omega \in C$. From the semantics of the third premise, if $\omega \in C$, then $\omega \in S$. From the semantics of the first premise, if $\nu \in I$ and $\nu \notin C$, and $\omega$ is such that $(\nu, \omega) \in \rho_{I,\eta}((\alpha;\ ?\neg C)^*)$, then $\omega \in S$. This is equivalent to saying that for any $\omega$ such that there is a sequence of states $\nu_0, \ldots, \nu_n$, with $\nu_0 = \nu \in I \wedge \neg C$ and $\nu_n = \omega$, $n \in \mathbb{N}$, and $(\nu_i, \nu_{i+1}) \in \rho_{I,\eta}(\alpha;\ ?\neg C)$ for each $0 \le i \le n-1$, it is the case that $\omega \in S$.

The proof is to show by induction that any state reachable by $\alpha^*$ from $I$ in $n \ge 0$ executions of $\alpha$ must be contained in $S$. For the base case, let $n = 0$. Then given $\nu \in I$, the only state reachable by a sequence of length zero is $\nu$ itself. If $\nu \in C$, then $\nu \in S$ by the semantics of the third premise. If $\nu \notin C$, we have that $(\nu, \nu) \in \rho_{I,\eta}((\alpha;\ ?\neg C)^*)$ by a chain of length zero, so that by the semantics of the first premise, $\nu \in S$.

As an inductive hypothesis, suppose that for every $\omega$ reachable by a chain of length $n$, $\omega \in S$ (i.e., there exist $\nu_0, \ldots, \nu_n$ with $\nu_0 = \nu$ and $\omega = \nu_n$ such that $(\nu_i, \nu_{i+1}) \in \rho_{I,\eta}(\alpha)$ for $0 \le i \le n-1$). Now choose any state $\xi$ such that there is a chain of length $n+1$, $\nu_0, \ldots, \nu_{n+1}$, with $\nu_0 = \nu$ and $\nu_{n+1} = \xi$, such that $(\nu_i, \nu_{i+1}) \in \rho_{I,\eta}(\alpha)$ for $0 \le i \le n$.

First suppose that $\nu_n \in C$. Then by the semantics of the second premise, $\nu_{n+1} \in C$, and then $\nu_{n+1} \in S$ by the semantics of the third premise. On the other hand, suppose $\nu_n \notin C$. We claim that for all $j < n$, $\nu_j \notin C$. To see this, note that if $\nu_j \in C$ for some $j < n$, then $\nu_n \in C$ by repeated application of the second premise, which would contradict our assumption on $\nu_n$. Then we have that $(\nu_i, \nu_{i+1}) \in \rho_{I,\eta}(\alpha;\ ?\neg C)$ for all $0 \le i \le n$. By the semantics of the first premise, it follows that $\xi \in S$. This establishes the theorem. □


3.3 Example

For the running example, mode q1 has a Lyapunov function of the form V1(x1, x2) = ½x1² + ½(x2 − 2)² as described in Example 4.10 of [19] (we discuss Lyapunov functions as sources of invariants in Section 4). The sublevel set V1(x1, x2) < 5 contains the reset into mode q1. We apply the forward invariant cut rule with C1 = V1(x1, x2) < 5 ∧ M = M1, a set that is invariant and safe, but not initialized since it does not contain the initial mode q0 of the hybrid system. The rule application causes the proof tree to split into three branches. The first branch requires showing that whenever the system begins in C1, it remains in C1. The only portions of the model that may run in this case correspond to q1 and the transition into the fail mode (programs m1 and s{0,1,2}→fail). KeYmaera can readily check that since the proposed sublevel set excludes the guard into fail, C1 will in fact be satisfied by the end of each system trace. The second branch of the proof tree requires showing C1 → S, which is trivial, since S is simply M ≠ Mfail and C1 stipulates M = M1. We now turn our attention to the third branch.

Mode q2 has a Lyapunov function V2(x1, x2) = 2x1² + 4x2², computed using standard Lyapunov techniques for linear systems. The sublevel set V2(x1, x2) < 16 contains the circle of radius 2; all incoming transitions to mode q2 reset the system state to somewhere within this circle. By applying a forward invariant cut with C2 = V2(x1, x2) < 16 ∧ M = M2, we again get three branches. As before, C2 is invariant because the only portions of the model that may run from C2 are the programs m2 and s{0,1,2}→fail. Since V2(x1, x2) < 16 excludes the guard to fail, KeYmaera can show that C2 represents a safe set. The next branch is to prove that C2 implies safety, which is easy because C2 requires M = M2, which implies M ≠ Mfail.

The third branch can now be easily proved with the standard tools of KeYmaera, using the loop invariant M = M0 ∧ x1² + x2² < 10.
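Before the three branches are discharged in KeYmaera, the facts the two cuts rely on can be sampled numerically. The Python script below is an added example, not code from the paper or from KeYmaera: it checks that V̇ ≤ 0 on each sublevel set, that the set misses the fail guard, and that it contains the corresponding reset disk; the grid, the tolerances and the convexity shortcut used for the disk check are our assumptions, and a pass is evidence for the prover's obligations, not a proof.

```python
"""Numeric pre-check of the local certificates C1 and C2 of Section 3.3.

Added example, not code from the paper or from KeYmaera. The dynamics of
q1 and q2, the Lyapunov functions V1 and V2, the levels 5 and 16, the reset
disks and the fail guard are the running example's (Model 1); the sampling
grid, the tolerances and the convexity shortcut are our own assumptions.
"""
import math

FAIL_BOUND = 10.0   # fail guard (Model 1, lines 12-13): |x1| > 10 or |x2| > 10


def f_q1(x1, x2):
    """Mode q1 flow (Model 1, line 7): x1' = -(x2 + 1) x1, x2' = x1^2."""
    return (-(x2 + 1.0) * x1, x1 * x1)


def f_q2(x1, x2):
    """Mode q2 flow (Model 1, line 11): x1' = -3 x1 + 13 x2, x2' = -5 x1 - x2."""
    return (-3.0 * x1 + 13.0 * x2, -5.0 * x1 - x2)


def v1(x1, x2):
    """V1 = 1/2 x1^2 + 1/2 (x2 - 2)^2 (Section 3.3)."""
    return 0.5 * x1 * x1 + 0.5 * (x2 - 2.0) ** 2


def grad_v1(x1, x2):
    return (x1, x2 - 2.0)


def v2(x1, x2):
    """V2 = 2 x1^2 + 4 x2^2 (Section 3.3)."""
    return 2.0 * x1 * x1 + 4.0 * x2 * x2


def grad_v2(x1, x2):
    return (4.0 * x1, 8.0 * x2)


def lie_derivative(grad, f, x1, x2):
    """Vdot(x) = dV/dx . f(x), the quantity condition (8) requires to be <= 0."""
    g1, g2 = grad(x1, x2)
    f1, f2 = f(x1, x2)
    return g1 * f1 + g2 * f2


def grid(lo, hi, n):
    step = (hi - lo) / n
    return [lo + i * step for i in range(n + 1)]


def max_lie_on_sublevel(v, grad, f, level, box=12.0, n=96):
    """Largest sampled Vdot over {V < level}. A value <= 0 supports the
    obligation C -> [alpha]C for the continuous part of the mode."""
    worst = -math.inf
    for x1 in grid(-box, box, n):
        for x2 in grid(-box, box, n):
            if v(x1, x2) < level:
                worst = max(worst, lie_derivative(grad, f, x1, x2))
    return worst


def hits_fail_guard(v, level, box=12.0, n=96):
    """True if some sampled point of {V < level} satisfies the fail guard,
    i.e. the cut would not be safe (C -> S would fail)."""
    for x1 in grid(-box, box, n):
        for x2 in grid(-box, box, n):
            if v(x1, x2) < level and (abs(x1) > FAIL_BOUND or abs(x2) > FAIL_BOUND):
                return True
    return False


def reset_disk_inside(v, level, radius, n=3600):
    """Open disk x1^2 + x2^2 < radius^2 lies inside {V < level}. Both V's are
    convex with V(0) < level, so it suffices that V <= level on the boundary
    circle: every interior point is a convex combination of 0 and a boundary point."""
    if not v(0.0, 0.0) < level:
        return False
    worst = max(v(radius * math.cos(2 * math.pi * k / n),
                  radius * math.sin(2 * math.pi * k / n)) for k in range(n))
    return worst <= level + 1e-9


def check_cut(v, grad, f, level, reset_radius):
    """The three facts the cut relies on for one certificate V < level."""
    return {
        "flow_invariant": max_lie_on_sublevel(v, grad, f, level) <= 1e-9,
        "excludes_fail_guard": not hits_fail_guard(v, level),
        "contains_reset_disk": reset_disk_inside(v, level, reset_radius),
    }


def check_running_example():
    """C1: V1 < 5 with the unit-disk guard into q1; C2: V2 < 16 with the radius-2 reset."""
    return {"C1": check_cut(v1, grad_v1, f_q1, 5.0, 1.0),
            "C2": check_cut(v2, grad_v2, f_q2, 16.0, 2.0)}


if __name__ == "__main__":
    for name, result in check_running_example().items():
        print(name, result)
```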

4. OBTAINING SAFE FORWARD INVARIANTS

This section describes various techniques to generate safe forward invariants, which are invariant sets that are safe but not necessarily initialized. Let x(t) denote any solution trajectory for a given (hybrid) dynamical system. A set S is forward invariant if for all x(0) ∈ S, for all t, x(t) ∈ S. The general problem of identifying safe forward invariant sets that are useful is hard, but the techniques that we present can, in some cases, automatically identify safe forward invariant sets that can be used to complete safety proofs.

4.1 Safe forward invariants based on Lyapunov analysis

Lyapunov analysis provides one way to construct forward invariant sets for hybrid systems. We briefly review the basics of Lyapunov analysis to aid our presentation. Lyapunov's direct method is a well-known method used to prove stability of dynamical systems within a region of interest. In this method, the user provides a local Lyapunov function V : X → ℝ that over the domain of interest X satisfies the following properties:

1. Positive definiteness: for all x in X,

$$V(x) \ge 0, \qquad (7)$$

and V(0) = 0;

2. Derivative negative semidefiniteness: for all x in X,

$$\dot{V}(x) = \frac{\partial V}{\partial x}(x)\, f(x) \le 0, \qquad (8)$$

and V̇(0) = 0.

Existing techniques from dynamical systems theory use sum-of-squares optimization [22] and semidefinite programming [?] to identify Lyapunov functions [?] for systems described by polynomial differential equations. A Lyapunov function V is analogous to a ranking function for a discrete system, and it maps each continuous state x to a positive real number, with the property that along any system trajectory the quantity V(x) monotonically decreases until it reaches 0 at the equilibrium point. It is well known that the sublevel set of a Lyapunov function, S_ℓ = {x | V(x) < ℓ}, is a forward invariant set, i.e., given any initial condition in S_ℓ, all future states remain in S_ℓ. Thus, any sublevel set of a Lyapunov function that includes the initial set and excludes the unsafe set serves as a safety certificate [16, 26].

Remark: It is well known that for stable linear systems, a quadratic Lyapunov function of the form V = xᵀPx, where P is a positive definite matrix, always exists and can be computed by solving the matrix equation

$$A^T P + P A = -Q, \qquad (9)$$

where Q is a positive definite matrix. Several scientific computing tools have built-in commands to solve this equation, such as lyap in MATLAB and LyapunovSolve in Mathematica.

We now show how we can use Lyapunov-like functions to construct local certificates.

Barrier Certificates. In the hybrid systems community, barrier certificates have been proposed as a Lyapunov-like analysis technique to prove that starting from an initial set of states X0, no system trajectory ever enters an unsafe set U [26, 27, 28]. The main step is to identify a barrier function B from the domain X to ℝ, with the following properties:

$$\forall x \in X_0:\ B(x) \le 0 \qquad (10)$$
$$\forall x \in U:\ B(x) > 0 \qquad (11)$$
$$\forall x \in X \text{ s.t. } B(x) = 0:\ \dot{B}(x) < 0. \qquad (12)$$

Given a local Lyapunov function V valid in the domain X, if an ℓ can be selected such that (10) and (11) are satisfied, then B(x) = V(x) − ℓ is a bar­rier certificate. This follows from the definition of barrier certificates and the Lyapunov conditions (7) and (8).

Discovering Barrier Certificates. To discover barrier certificates, we employ a modification of a technique from [29], which uses concrete system executions to generate a series of candidate Lyapunov functions. Our technique, which is based on [?], uses concrete executions to generate a set of linear constraints. A candidate Lyapunov function is then generated by solving a linear program (LP) associated with the constraints. A series of candidates is iteratively improved upon, using a global optimizer to search the region of interest for executions that violate condition (8) for the given candidate. The search is guided by a cost function that is based on the Lie derivative of the candidate Lyapunov function; if this cost function can be minimized below 0, then the minimizing argument provides a witness (which we call a counterexample) showing the candidate Lyapunov function is invalid. Once such counterexamples are obtained, we include the associated linear constraints in the LP problem and update the candidate Lyapunov function. The process terminates when the global optimizer is unable to find counterexamples to the candidate Lyapunov function. We then define the candidate barrier function B(x) = V(x) − ℓ, where ℓ is selected such that (10) and (11) are satisfied.

Because there are no optimality guarantees from the global optimizer used to generate the candidate barrier function, the resulting candidate may not strictly satisfy the desired constraints. To check whether the candidates satisfy (10) through (12), we rely on a satisfiability modulo theories (SMT) solver that can handle nonlinear theories over the reals. We use the dReal tool, which uses interval constraint propagation (ICP) [?]. dReal supports various nonlinear elementary functions in the framework of δ-complete decision procedures, and returns “unsat” or “δ-sat” for a given query, where δ is a precision value specified by the user. When the answer is “unsat”, dReal produces a proof of unsatisfiability; when it returns “δ-sat”, it gives an interval of size δ which contains points that may possibly satisfy the query.

When a “δ-sat” result is returned from a query to check (10) through (12), we do the following: 1) construct a new linear constraint based on the interval returned, 2) add the new constraint to the existing set of linear constraints, and 3) re-solve the LP to obtain an updated (improved) Lyapunov function candidate. If this process terminates, then the result is a barrier certificate.

Our technique attempts to use discovered barrier certificates locally, that is, for each mode we attempt to construct a certificate that proves that the system will not leave the mode. If such a local barrier certificate is found, then the forward invariant cut rule can be applied to the mode to simplify the safety proof for the system, which may be composed of several modes.

Figure 2: Hybrid automaton for the nonautonomous switched system.

4.2 Other Techniques

Bounded-time Invariant Certificates. Inspired by the success of reachability analysis using bounded model checking for verifying software systems, there has been significant research in estimating the reachable set of states for hybrid and continuous-time dynamical systems. See [?] and references therein. A common theme among various approaches is to compute a flowpipe, or an overapproximation of the reachable states over a bounded time horizon τ. If the computed flowpipe does not intersect with the unsafe set, then it is safe, and it is invariant over bounded time, as the initial states lie within it, as does the set of all future states reachable within the fixed time bound. The general form of a bounded-time invariant set is S_reach = (R(x) ≤ 0) ∧ (t_l ≤ t ≤ t_u), where R(x) ≤ 0 is some compact subset of the domain, and (t_l, t_u) is the time interval over which the set R(x) ≤ 0 is invariant.

Discrete Transition-based Certificates. These certificates are useful to prove unreachability of certain modes because of the transition structure of an underlying hybrid automaton. Standard techniques from automata theory such as identifying strongly connected components can be used to obtain such certificates.


5. CASE STUDIES

5.1 Non-autonomous Switched System

Consider an open two-mode system, where an external input can cause the system to arbitrarily switch between the system modes. This example is significant because neither of the two modes is invariant, so the proof cannot rely on cutting out entire modes.

The continuous dynamics are defined by matrices A1 and A2, as given below:

$$A_1 = \begin{bmatrix} -1.0 & 4.0 \\ -0.25 & -1.0 \end{bmatrix}, \qquad A_2 = \begin{bmatrix} -1.0 & -0.25 \\ 4.0 & -1.0 \end{bmatrix}.$$

Linear reset maps are applied to the state when a transition is made between Modes 1 and 2. The resets are defined by matrices R12 and R21:

$$R_{12} = \begin{bmatrix} -0.0658 & -0.0123 \\ 0.1965 & -0.0658 \end{bmatrix}, \qquad R_{21} = \begin{bmatrix} -0.0658 & 0.1965 \\ -0.0123 & -0.0658 \end{bmatrix}.$$

Model 2: A dL model of the nonautonomous switched system

 1  I → [(s ∪ m1 ∪ m2)*] S
 2  I   ≡ M = 1 ∧ x1² + x2² < 0.49
 3  s   ≡ M := 1 ∪ M := 2
 4  m1  ≡ ?(M = 1);
 5        x1 := −0.0658x1 + 0.1965x2;
 6        x2 := −0.0123x1 − 0.0658x2;
 7        {x1' = −x1 + 4x2, x2' = −(1/4)x1 − x2}
 8  m2  ≡ ?(M = 2);
 9        x1 := −0.0658x1 − 0.0123x2;
10        x2 := 0.1965x1 − 0.0658x2;
11        {x1' = −x1 − (1/4)x2, x2' = 4x1 − x2}
12  S   ≡ x1 > −2 ∧ x1 < 2 ∧ x2 > −2 ∧ x2 < 2


Figure 5 shows a hybrid automaton for the system, and Model 2 defines the corresponding hybrid program. For both modes, the continuous-time dynamics given by $A_1$ and $A_2$ are stable and linear. It is well known that even for switched-mode systems with stable linear continuous dynamics, switching conditions exist that lead to instability of the switched system [5]. We wish to prove that it is not possible to switch between $A_1$ and $A_2$ so as to create unstable behavior. The safety property for this system is that it should remain within $\|\mathbf{x}\|_\infty \le 2.0$. We apply the forward invariant cut rule to the example to prove the safety property; the steps of the proof are described below.

Here, the designer provided two forward invariants of the system by independently solving the Lyapunov equation for the linear dynamics in each of the modes. The designer then picked level set sizes to ensure that the resulting forward invariant is contained within the safe set $S$. The invariants are
$$C_1 = \{\mathbf{x} \mid V_1(\mathbf{x}) \le l_1\} \qquad (13)$$
$$C_2 = \{\mathbf{x} \mid V_2(\mathbf{x}) \le l_2\} \qquad (14)$$
where $V_1(\mathbf{x}) = 0.3828x_1^2 + 0.9375x_1x_2 + 2.3750x_2^2$ with $l_1 = 1.0$, and $V_2(\mathbf{x}) = 2.3750x_1^2 + 0.9375x_1x_2 + 0.3828x_2^2$ with $l_2 = 1.0$. (Both are of the form $V_i(\mathbf{x}) = \mathbf{x}^\top P_i \mathbf{x}$ with $P_i$ the solution of $A_i^\top P_i + P_i A_i = -I$, so $\dot V_i = -\|\mathbf{x}\|^2$ along $\dot{\mathbf{x}} = A_i\mathbf{x}$.)

We sequentially apply two forward invariant cuts to prove Model 2 safe. The first forward invariant cut uses the set $C_1$. After applying $C_1$, the proof tree has three branches: $I \wedge \neg C_1 \to [(\alpha; ?\neg C_1)^*]S$, $C_1 \to [\alpha]C_1$, and $C_1 \to S$. Of these, the third branch is trivially true as $C_1 \subseteq S$. To prove the second branch valid, KeYmaera needs to prove that $C_1$ is invariant for each disjunct of $\alpha$.

For the hybrid program $m_1$, KeYmaera computes the forward image of the set $C_1$ under the linear transformation $R_{21}$, i.e., the set $F = \{\mathbf{y} \mid \mathbf{y} = R_{21}\mathbf{x} \wedge V_1(\mathbf{x}) \le l_1\}$. Note that this step requires quantifier elimination, for which KeYmaera uses Mathematica. It then uses $C_1$ as a differential invariant to prove $F \to [\{\mathbf{x}' = A_1\mathbf{x}\}]C_1$. This is facilitated by the facts that $F \subseteq C_1$ and that $C_1$, being a sublevel set of the Lyapunov function $V_1$, is invariant for the linear system $\dot{\mathbf{x}} = A_1\mathbf{x}$.

The difficult branch is the one requiring us to prove that $C_1$ is invariant for mode $m_2$. To do so, we assist KeYmaera with certain lemmas; the intuition for these lemmas is as follows. Any state in the set $C_1$, upon executing the program $m_2$, is linearly transformed by $R_{12}$. Let $\hat{C}_1 = \{\hat{\mathbf{x}} \mid \mathbf{x} \in C_1 \wedge \hat{\mathbf{x}} = R_{12}\mathbf{x}\}$ represent the forward image of $C_1$ under $R_{12}$. Next, we show that the set $\hat{C}_1$ is a subset of a specific sublevel set $C_2^*$ of $V_2(\mathbf{x})$. As $C_2^*$ is a sublevel set of $V_2(\mathbf{x})$, it is invariant under the dynamics $\dot{\mathbf{x}} = A_2\mathbf{x}$; thus, any state beginning in $C_2^*$ will remain in $C_2^*$. Finally, we choose $C_2^*$ in such a way that $C_2^* \subseteq C_1$. This proves that any state starting in the set $C_1$ is mapped into the set $\hat{C}_1 \subseteq C_2^*$, from which any state will, under the dynamics $\dot{\mathbf{x}} = A_2\mathbf{x}$, remain in the set $C_2^*$, i.e., in the set $C_1$.

Figure 3: Illustration of forward invariant sets for Example 5.1


Formally, we establish the following:
$$C_1 \to [\mathbf{x} := R_{12}\mathbf{x}]\,\hat{C}_1 \qquad (15)$$
$$\hat{C}_1 \subseteq C_2^* \qquad (16)$$
$$C_2^* \to [\{\mathbf{x}' = A_2\mathbf{x}\}]\,C_2^* \qquad (17)$$
$$C_2^* \subseteq C_1 \qquad (18)$$
We can combine these to infer that $C_1 \to [m_2]C_1$.

Finally, the first branch of the proof considers $I \wedge \neg C_1$; this contains the set of initial states not in $C_1$. These can now be addressed by the second forward invariant cut (the set $C_2$), following an argument symmetric to the one above. After applying the second cut $C_2$, the first branch has an unsatisfiable antecedent ($I \wedge \neg C_1 \wedge \neg C_2$ is empty), i.e., the proof has accounted for all initial states, which closes the proof. The sets we have discussed are shown in Figure 3.
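The lemmas (15)-(18), and the $m_1$ branch, reduce to finite-dimensional checks on quadratic forms: $V_2(R_{12}\mathbf{x}) = \mathbf{x}^\top R_{12}^\top P_2 R_{12}\mathbf{x}$, so the smallest level $l_2^*$ with $\hat{C}_1 \subseteq C_2^*$ is $l_1 \cdot \lambda_{\max}(P_1^{-1} R_{12}^\top P_2 R_{12})$, and $C_2^* \subseteq C_1$ holds iff $l_2^* \cdot \lambda_{\max}(P_2^{-1} P_1) \le l_1$. The following Python script is an added example, not part of the paper and not KeYmaera code: it solves the two Lyapunov equations $A_i^\top P_i + P_i A_i = -I$ (which reproduce $V_1$ and $V_2$ above), then checks the containment chain numerically for both cuts, $C_1$ and $C_2$. The matrices, levels and safe box are those of Section 5.1; the function names are my own. A check like this is a sanity test of the designer's lemmas before they are handed to KeYmaera and Mathematica, not a substitute for the deductive proof.

```python
import math

# Data of Section 5.1: mode dynamics, resets, safe box and the level of C1.
A1 = [[-1.0, 4.0], [-0.25, -1.0]]
A2 = [[-1.0, -0.25], [4.0, -1.0]]
R12 = [[-0.0658, -0.0123], [0.1965, -0.0658]]   # reset applied by m2 (entering mode 2)
R21 = [[-0.0658, 0.1965], [-0.0123, -0.0658]]   # reset applied by m1 (entering mode 1)
SAFE_BOX = 2.0   # S = { x : ||x||_inf <= 2 }
L1 = 1.0         # C1 = { x : V1(x) <= L1 }; C2 uses the same level l2 = 1.0


def transpose(M):
    return [[M[0][0], M[1][0]], [M[0][1], M[1][1]]]


def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def det2(M):
    return M[0][0] * M[1][1] - M[0][1] * M[1][0]


def inv2(M):
    d = det2(M)
    return [[M[1][1] / d, -M[0][1] / d], [-M[1][0] / d, M[0][0] / d]]


def solve3(M, b):
    """Solve the 3x3 system M y = b by Gauss-Jordan elimination with partial pivoting."""
    aug = [row[:] + [b[i]] for i, row in enumerate(M)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(aug[r][col]))
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(3):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [aug[r][j] - f * aug[col][j] for j in range(4)]
    return [aug[i][3] / aug[i][i] for i in range(3)]


def solve_lyapunov(A, Q=((1.0, 0.0), (0.0, 1.0))):
    """Solve A^T P + P A = -Q for symmetric P = [[p, q], [q, r]] (2x2 case).

    The (1,1), (1,2) and (2,2) entries of A^T P + P A are linear in (p, q, r);
    V(x) = x^T P x then has dV/dt = -x^T Q x along x' = A x, so V is Lyapunov."""
    a, b = A[0]
    c, d = A[1]
    M = [[2.0 * a, 2.0 * c, 0.0], [b, a + d, c], [0.0, 2.0 * b, 2.0 * d]]
    p, q, r = solve3(M, [-Q[0][0], -Q[0][1], -Q[1][1]])
    return [[p, q], [q, r]]


def lyapunov_residual(A, P, Q=((1.0, 0.0), (0.0, 1.0))):
    """Largest |entry| of A^T P + P A + Q; zero means P solves the Lyapunov equation."""
    S, T = matmul(transpose(A), P), matmul(P, A)
    return max(abs(S[i][j] + T[i][j] + Q[i][j]) for i in range(2) for j in range(2))


def eig_max(M):
    """Larger eigenvalue of a 2x2 matrix with real spectrum (here always of the form
    P_con^-1 P_obj with P_con positive definite, which is similar to a symmetric matrix)."""
    tr, dt = M[0][0] + M[1][1], det2(M)
    return (tr + math.sqrt(max(tr * tr - 4.0 * dt, 0.0))) / 2.0


def max_quadratic_on_ellipsoid(P_obj, P_con, level):
    """max x^T P_obj x over {x : x^T P_con x <= level} = level * lambda_max(P_con^-1 P_obj)."""
    return level * eig_max(matmul(inv2(P_con), P_obj))


def reset_image_level(P_img, R, P_src, l_src):
    """Smallest l with R*{V_src <= l_src} inside {V_img <= l}; uses V_img(R x) = x^T R^T P_img R x."""
    return max_quadratic_on_ellipsoid(matmul(matmul(transpose(R), P_img), R), P_src, l_src)


def bounding_box(P, level):
    """Half-widths of the axis-aligned box enclosing the ellipsoid {x : x^T P x <= level}."""
    Pinv = inv2(P)
    return [math.sqrt(level * Pinv[i][i]) for i in range(2)]


def forward_invariant_cut_chain(P_cut, l_cut, P_other, R_out, R_in, safe_box):
    """Numerically check the cut C = {V_cut <= l_cut} against the lemma chain (15)-(18).

    R_in is the reset applied when entering the cut's own mode, R_out when entering the
    other mode.  The chain holds when C is inside S, R_in*C is inside C (so the own-mode
    flow, for which V_cut is Lyapunov, keeps the state in C), R_out*C is inside
    C* = {V_other <= l_star} and C* is inside C (so the other mode's flow, which keeps
    C* invariant, also ends in C)."""
    half = bounding_box(P_cut, l_cut)
    own_level = reset_image_level(P_cut, R_in, P_cut, l_cut)             # own-mode branch
    l_star = reset_image_level(P_other, R_out, P_cut, l_cut)             # (15), (16)
    back_level = max_quadratic_on_ellipsoid(P_cut, P_other, l_star)      # (17), (18)
    ok = max(half) <= safe_box and own_level <= l_cut and back_level <= l_cut
    return {"half_widths": half, "own_level": own_level, "l_star": l_star,
            "back_level": back_level, "ok": ok}


def run():
    """Reproduce V1, V2 of Section 5.1 and check both cuts, C1 and C2."""
    P1, P2 = solve_lyapunov(A1), solve_lyapunov(A2)
    cut1 = forward_invariant_cut_chain(P1, L1, P2, R12, R21, SAFE_BOX)
    cut2 = forward_invariant_cut_chain(P2, L1, P1, R21, R12, SAFE_BOX)
    return P1, P2, cut1, cut2


if __name__ == "__main__":
    P1, P2, cut1, cut2 = run()
    print("P1 =", P1, "residual =", lyapunov_residual(A1, P1))
    print("P2 =", P2, "residual =", lyapunov_residual(A2, P2))
    for name, c in (("C1", cut1), ("C2", cut2)):
        print("%s: half-widths %s, l* = %.4f, max V over C* = %.4f, chain holds: %s"
              % (name, [round(h, 3) for h in c["half_widths"]], c["l_star"], c["back_level"], c["ok"]))
```

The script solves $P_1 = \begin{bmatrix} 0.3828 & 0.46875 \\ 0.46875 & 2.375 \end{bmatrix}$ exactly (its off-diagonal entry is the coefficient $0.9375/2$ of $x_1x_2$ in $V_1$), finds $l_2^* \approx 0.048$ and $\max_{C_2^*} V_1 \approx 0.37 \le 1$, and by the coordinate symmetry of the example reports the same numbers for $C_2$. The eigenvalue step is where the worked example ends and the deductive proof begins: KeYmaera establishes (15)-(18) by quantifier elimination and differential invariants, not by floating-point eigenvalues.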

5.2 Engine fuel control 

Model. Our second case study is a hybrid system represent¬ 
ing an automotive fuel control application. Environmental 
concerns and government legislation require that the fuel 
economy be maximized and the exhaust gas emissions (e.g., 
hydrocarbons, carbon monoxide, and nitrogen oxides) be 
minimized. At the ideal air-to-fuel (A/F) ratio, also known 
as the stoichiometric value, both these quantities are op¬ 
timized. We present an automotive control system whose 
purpose is to accurately regulate the A/F ratio. 

The system dynamics and parameters were derived from a published model [15] and then simplified, as in [17]. The model consists of a simplified version of the physics of engine subsystems responsible for air intake and A/F ratio
measurement, along with a computer control system tasked 
with regulating the A/F ratio. The objective of the con¬ 
troller is to maintain the A/F ratio within 10% of the nom¬ 
inal operating conditions. The experiment that we model 
involves an engine connected to a dynamometer - a device 
that can control the speed of the engine and measure the 
output torque. In our setting, the dynamometer maintains 
the engine at a constant rotational velocity. The controller 
has two modes of operation: (1) a recovery mode, which 
controls fuel in an open-loop manner, i.e., with only feedfor¬ 
ward control action, where the system runs for at most 8ms, 
and (2) a normal run mode, which uses feedback control to 
regulate the A/F ratio. 

The controller measures both the air flow through the air- 
intake manifold, which it uses to estimate the air pressure 
in the manifold, and the oxygen content of the exhaust gas, 
which it uses to compute the A/F ratio. The recovery mode 
represents the behavior of the controller when recovering 
from a sensor fault (e.g., aberrant sensor readings, environ¬ 
mental conditions that cause suspicion of the sensor read¬ 
ings). During the recovery mode, the controller has no ac¬ 
cess to oxygen sensor measurements and so must operate 
in a feedforward manner (i.e., using only the manifold air 
flow rate). The normal mode is the typical mode of opera¬ 
tion, where the oxygen sensor measurements are used to do 
feedback control. 

Model 3 is a hybrid program representing this system. The ODEs representing the continuous dynamics in each mode and the model parameters are presented in the Appendix. The state variables $p$, $r$, $p_{\mathrm{est}}$, and $i$ represent the manifold pressure, the ratio between the actual air-fuel ratio and the stoichiometric value, the controller's estimate of the manifold pressure, and the internal state of the PI controller; these variables have all been translated so that the equilibrium point coincides with the origin. In the recovery mode, the continuous-time state $\mathbf{x}$ is the tuple $(p, r, p_{\mathrm{est}}, i, t)$. The additional state variable $t$ in the recovery mode represents the state of a timer that evolves according to the ODE $t' = 1$. In the normal mode, the state is given by $(p, r, p_{\mathrm{est}}, i)$.

We assume the system is within 1.0% of the nominal value 
at the initialization of the recovery mode. This represents 
the case where the system was previously in a mode of oper¬ 
ation that accurately regulated the A/F ratio to the desired 
setpoint. A domain of interest for the state variables is given by $\|\mathbf{x}\|_\infty \le 0.2$.

Safety proof using forward invariant cut. The verification goal is to ensure that, in the given experimental setting, the system always remains within 10% of the nominal A/F ratio after the fixed recovery time of 8 ms has passed. In other words, we wish to show that the system begins in the recovery mode, with the initial set of continuous states defined by $\mathit{init} = \{\mathbf{x} \mid \|\mathbf{x}\|_\infty \le 0.01\}$; that the system transitions to the normal mode after at most 8.0 ms; and that the system never transitions to the unsafe set, where $|r| \ge 0.1$, within the domain of interest $\|\mathbf{x}\|_\infty \le 0.2$.

In previous work m, the authors had established a for¬ 
ward invariant set for the normal mode of operation using a 
barrier certificate formulation. The authors formulated the barrier certificate using simulation-guided techniques to obtain a candidate Lyapunov function $V$ and a number $\ell$ to propose a barrier function of the form $B(\mathbf{x}) = V(\mathbf{x}) - \ell$. Here, $V(\mathbf{x}) = \mathbf{z}^\top P \mathbf{z}$, and $\mathbf{z}$ is a vector of all monomials of degree $\le 2$ of the state variables $p$, $r$, $p_{\mathrm{est}}$ and $i$. Note that $\mathbf{z}$ thus contains 14 monomials, and $P$ is a $14 \times 14$ matrix. We omit the resulting $P$ matrix for brevity.

Model 3: A dL model of a closed-loop fuel control system

    EFC ≡ I → [(m1 ∪ m2 ∪ s1→2 ∪ s{1,2}→fail ∪ m_fail)*] S
    I ≡ (−0.001 ≤ p ≤ 0.001)
        ∧ (−0.001 ≤ r ≤ 0.001)
        ∧ (p_est = 0 ∧ i = 0 ∧ M = 1)
    m1 ≡ (?M = recovery; ?t ≤ 0.008;
          {∃ξ1. ∃ξ2. ∃ξ3.
             (−0.86 ≤ ξ1 ≤ 0.74) ∧
             (−0.17 ≤ ξ2 ≤ 0.18) ∧
             (−0.81 ≤ ξ3 ≤ 0.68)
             ∧ (p' = ξ1) ∧ (r' = ξ2) ∧ (p_est' = ξ3) ∧
             i' = 0, t' = 1 & t ≤ 0.008})
    s1→2 ≡ (?M = recovery; ?t ≥ 0.008;
            M := normal)
    m2 ≡ (?M = normal;
          {p' = f_p,
           r' = f_r,
           p_est' = f_pest,
           i' = f_i
           & −0.02 ≤ p ≤ 0.02 ∧ −0.02 ≤ r ≤ 0.02
             ∧ −0.02 ≤ p_est ≤ 0.02 ∧ −0.02 ≤ i ≤ 0.02})
    s{1,2}→fail ≡ (?(r ≤ −0.1 ∨ r ≥ 0.1);
                   M := fail)
    m_fail ≡ (?(r ≤ −0.1 ∨ r ≥ 0.1);
              M := fail)
    S ≡ M ≠ fail

We use the set enclosed by the barrier function to formulate the forward invariant cut
$$C = (M = \mathit{normal}) \wedge (B(\mathbf{x}) \le 0). \qquad (19)$$
Application of the forward invariant cut inference rule generates three proof obligations that KeYmaera has to discharge.

Obligation 1. $C \to [\alpha]C$

Note that once we define $C$, the hybrid programs $m_1$ and $s_{1\to 2}$ can be excised by KeYmaera, as both have the test $?M = \mathit{recovery}$ as their first item, which is inconsistent with $C$. Thus, KeYmaera can focus on proving this obligation only for the programs $m_2$, $s_{\{1,2\}\to\mathit{fail}}$ and $m_{\mathit{fail}}$.

In order to discharge the obligation for the program $m_2$, we first perform some trivial simplifications with KeYmaera that leave us with the following proof goal:
$$(B(\mathbf{x}) \le 0) \to [\{\mathbf{x}' = f(\mathbf{x}) \,\&\, H\}]\,(B(\mathbf{x}) \le 0) \wedge (M = \mathit{normal}) \qquad (20)$$
To discharge (20), we can use the barrier certificate rule (21), which we have added to KeYmaera's proof calculus:
$$\frac{\mathit{init} \to B(\mathbf{x}) \le 0 \qquad B(\mathbf{x}) = 0 \to \dfrac{\partial B}{\partial \mathbf{x}} \cdot f(\mathbf{x}) < 0 \qquad B(\mathbf{x}) \le 0 \to \mathit{safe}}{\mathit{init} \to [\{\mathbf{x}' = f(\mathbf{x}) \,\&\, H\}]\,\mathit{safe}} \qquad (21)$$
where $H$ is the domain of evolution of the continuous dynamics. In our application of the barrier certificate rule, we substitute $\mathit{init}$ with $(B(\mathbf{x}) \le 0)$ and $\mathit{safe}$ with $(B(\mathbf{x}) \le 0) \wedge (M = \mathit{normal})$. The first and third premises of the barrier certificate rule are then trivially satisfied. For the remaining (middle) premise, KeYmaera uses the SMT solver dReal [11]. In particular, it asks dReal whether the query $(B(\mathbf{x}) = 0) \wedge \left(\frac{\partial B}{\partial \mathbf{x}} \cdot f_{\mathit{normal}}(\mathbf{x}) \ge -\epsilon\right)$ is unsatisfiable, where $\epsilon$ is a small positive number. An unsat answer from dReal is conclusive; its satisfiable answers are only $\delta$-satisfiable and may be spurious, so only unsatisfiability is used here.

In order to discharge the obligation for the remaining programs $s_{\{1,2\}\to\mathit{fail}}$ and $m_{\mathit{fail}}$, KeYmaera needs to show that if $B(\mathbf{x}) \le 0$ holds, neither program can invalidate $C$ by transitioning to mode $\mathit{fail}$. It proves this, again using dReal, by showing that the set $B(\mathbf{x}) \le 0$ is disjoint from the guard $r \le -0.1 \vee r \ge 0.1$, i.e., that it is a subset of the safe set.

Obligation 2. $C \to S$

This obligation is trivial, as $S$ only requires the mode not to be $\mathit{fail}$, while $C$ states that the mode is $\mathit{normal}$.

Obligation 3. $I \wedge \neg C \to [(\alpha; ?\neg C)^*]S$

To prove this obligation, we use the lemma that the set $C_I$ is an invariant for all states remaining in $I \wedge \neg C$. This is a bounded-time invariant certificate:
$$C_I = (M \ne \mathit{fail}) \wedge (0 \le t \le 0.008) \wedge (\mathbf{x} \in S_{\mathrm{reach}}) \qquad (22)$$
Here $S_{\mathrm{reach}}$ is an overapproximation of the reachable set, obtained from upper and lower bounds on $p$ and $r$ computed using dReal. The proof for this branch continues using standard KeYmaera deduction procedures. There is one additional barrier certificate application to show that the normal mode, when started from this set, lands within the barrier certificate and therefore also respects this invariant. This requires a derivative negativity argument, which KeYmaera again handles via an external dReal query.
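The set $S_{\mathrm{reach}}$ in (22) has the bounded-time invariant form $(R(\mathbf{x}) \le 0) \wedge (t_l \le t \le t_u)$ discussed earlier. For the recovery mode $m_1$ of Model 3 every derivative is confined to a constant interval, so the states reachable over $t \in [0, 0.008]$ form a box that interval arithmetic computes exactly. The following Python script is an added example, not from the paper (which obtained its bounds with dReal): it computes that box from the initial set $I$ of Model 3 ($p, r \in [-0.001, 0.001]$, $p_{\mathrm{est}} = i = 0$), checks that it stays clear of the guard $|r| \ge 0.1$ of $s_{\{1,2\}\to\mathit{fail}}$ and $m_{\mathit{fail}}$ (so $M \ne \mathit{fail}$ cannot be lost during recovery), and checks that the state handed to $s_{1\to 2}$ at $t = 0.008$ lies inside the evolution domain $H$ of $m_2$. The function names are my own. The box is sound for the differential inclusion in $m_1$ but coarser than bounds tailored to the actual dynamics; it illustrates what $S_{\mathrm{reach}}$ must contain, not the paper's exact set.

```python
# Recovery mode m1 of Model 3: constant bounds on the derivatives (the xi_k),
# the initial set I, the normal-mode domain H and the fail guard.  These
# constants are taken from Model 3; the function names are my own.
T_RECOVERY = 0.008       # s_{1->2} fires at t >= 0.008; m1 evolves only while t <= 0.008
INIT = {"p": (-0.001, 0.001), "r": (-0.001, 0.001), "p_est": (0.0, 0.0), "i": (0.0, 0.0)}
DERIV_BOUNDS = {"p": (-0.86, 0.74), "r": (-0.17, 0.18), "p_est": (-0.81, 0.68), "i": (0.0, 0.0)}
NORMAL_DOMAIN = 0.02     # evolution domain H of m2: |p|, |r|, |p_est|, |i| <= 0.02
UNSAFE_R = 0.1           # s_{1,2}->fail and m_fail are enabled when |r| >= 0.1


def box_reach(init, deriv_bounds, horizon):
    """Reachable boxes for x' in [d_lo, d_hi] (constant bounds) from an initial box.

    Returns (over_horizon, at_horizon): the first box contains every state reachable at
    some t in [0, horizon], the second the states reachable at exactly t = horizon.
    For constant derivative bounds both boxes are exact, not merely overapproximations.
    """
    over, at = {}, {}
    for var, (lo, hi) in init.items():
        d_lo, d_hi = deriv_bounds[var]
        at[var] = (lo + d_lo * horizon, hi + d_hi * horizon)
        # The lower end can only drop below lo if d_lo < 0 (upper end rises only if d_hi > 0).
        over[var] = (lo + min(d_lo, 0.0) * horizon, hi + max(d_hi, 0.0) * horizon)
    return over, at


def intersects_unsafe(box, unsafe_r=UNSAFE_R):
    """True if some state in the box enables the transition to mode fail."""
    r_lo, r_hi = box["r"]
    return r_lo <= -unsafe_r or r_hi >= unsafe_r


def inside_domain(box, bound=NORMAL_DOMAIN):
    """True if the whole box lies inside the normal mode's evolution domain H."""
    return all(-bound <= lo and hi <= bound for lo, hi in box.values())


def recovery_mode_certificate():
    """S_reach for the recovery mode, plus two checks on it: the fail transitions stay
    disabled before the switch, and the hand-over state lies in m2's domain."""
    over, at = box_reach(INIT, DERIV_BOUNDS, T_RECOVERY)
    return {
        "S_reach": over,                                 # box part of the invariant C_I in (22)
        "at_switch": at,                                 # states at which s_{1->2} can fire
        "recovery_safe": not intersects_unsafe(over),    # M != fail cannot be lost before t = T
        "hands_over_in_H": inside_domain(at),            # m2's domain holds at the mode switch
    }


if __name__ == "__main__":
    cert = recovery_mode_certificate()
    for var, (lo, hi) in cert["S_reach"].items():
        print("%-6s in [%+.5f, %+.5f]" % (var, lo, hi))
    print("recovery mode stays clear of |r| >= 0.1:", cert["recovery_safe"])
    print("hand-over state inside m2's domain H:  ", cert["hands_over_in_H"])
```

With Model 3's constants the box is $p \in [-0.00788, 0.00692]$, $r \in [-0.00236, 0.00244]$, $p_{\mathrm{est}} \in [-0.00648, 0.00544]$ and $i = 0$, two orders of magnitude inside the fail guard and inside $H$. The `over`/`at` distinction matters in general: a derivative interval that does not contain zero makes the box at the horizon strictly smaller than the box over the horizon, and it is the latter that a bounded-time invariant such as $C_I$ has to contain.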

6. RELATED WORK AND CONCLUSIONS 

Lazy abstraction. In software verification using conservative abstractions, an abstract program can be viewed as a proof of program correctness if it satisfies the correctness property of interest. A popular paradigm is that of lazy
abstraction IS], where the abstract program is not derived 
from a global set of predicates, but is an abstract model 
in which predicates change from state to state. Such an 
abstraction is obtained through the process of lazy refine¬ 
ment, where abstraction is done on-the-fly with a goal of 
eliminating local spurious counterexamples. While the ex¬ 
act mechanics of our technique are different, our technique 
also generates correctness proofs consisting of lazily gener¬ 
ated local invariants. 

Logical cuts. In classical logic, a cut serves the role of 
a lemma. In Gentzen’s sequent calculus m - the cut rule 
splits the proof tree into two branches, one in which the 
lemma can be used as an assumption, and another in which 
it must be proved. The cut-elimination theorem states that any proof in the sequent calculus that uses the cut rule has another proof that does not use the cut rule. Ideas similar
to Gentzen’s cut rule have been developed for other reason¬ 
ing frameworks. Craig interpolants [7] have been used to 
compute cuts in frameworks that leverage first-order logic, 
and they have been used successfully in a model checking 
framework m- The differential cut rule of d£ makes it 
possible to introduce lemmas about the continuous evolution of differential equations. It has been shown that there are theorems that cannot be proved without differential cuts, i.e., the differential cut strictly adds deductive power [24]. Overall, that approach provides an iterative method to find a safety certificate by proposing sets that are initialized and invariant, and repeating the differential cut procedure until safety can be proved. This work proposes a forward invariant cut rule, in which a lemma is proved about the evolution of a hybrid system model. The proof rule requires showing that a certain set is safe and invariant, and allows the proof to continue for the behaviors that are not initialized within the set. The forward invariant cut may be repeated until a proof of overall system safety is attained. Most crucially,
the proposed cuts allow the verification process to leverage 
a designer’s knowledge of local system properties. 

Deductive Proof System for Temporal Logic. In [8], 

the authors present a deductive proof system for proving 
alternating-time temporal logic assertions on a continuous 
dynamical system. Some of the proof rules presented require the user to provide auxiliary predicates to establish proof subgoals. These predicates are essentially logical cuts, and
in particular can be barrier certificates. The key feature of 
our approach is that we provide an automated mechanism 
to leverage user insight about parts of the system to obtain 
localized forward invariant cuts. It would be interesting to 
see if the automation that we develop in this paper could be 
used to mechanize the proof system presented in [8]. 

Conclusions. This paper presents a method to leverage 
knowledge of local system behavior within a deductive frame¬ 
work. In this framework, designer knowledge of system be¬ 
havior can be leveraged lazily as part of a proof of global 
system safety. The designer proposes sets that are invariant 
and safe, which allows certifying the safety of some region of 
state space. In future work, we would like to investigate the 
use of sets that are safe, but not initialized or invariant, as 
part of a proof effort. An example of this is when a collec¬ 
tion of modes have continuous barriers that the differential 
equations may not cross, but the set is not invariant because 
there are outgoing transitions that are not excluded by the 
set. 
APPENDIX

A Semantics of dL

We follow the development of [23], Chapter 2. Symbols in dL are classified into three syntactic categories, depending on their role.

1. $\Sigma_r$ represents a set of rigid symbols that cannot change their value, such as $0, 1, +, \cdot$;

2. $\Sigma_{fl}$ represents a set of flexible symbols, also called state variables, which change their value as the system evolves;

3. $V$ represents a set of logical variables, which do not change as the system evolves, but can be quantified over universally and existentially; they often serve the role of parameters.

An interpretation is a function $\mathcal{I}$ that associates functions and relations over the reals to the function and relation symbols in $\Sigma_r$. The standard arithmetic operators and relation symbols, such as $+, \cdot, \ge$, are interpreted as usual. A state is a map $\nu : \Sigma_{fl} \to \mathbb{R}$, which maps a real value to each state variable. An assignment $\eta : V \to \mathbb{R}$ is a map that prescribes the values of the logical variables. Note that the value of the logical variables does not depend on the state.

A state variable is a term, and a logical variable is also a 
term. The result of applying a function of arity n to n terms 
is also a term. Nothing else is a term. 

Definition 1 (Valuation of terms, [23, Defn. 2.5]). The valuation of terms with respect to interpretation $\mathcal{I}$, assignment $\eta$, and state $\nu$ is defined as

1. $\mathit{val}_{\mathcal{I},\eta}(\nu, y) = \eta(y)$ if $y$ is a logical variable.

2. $\mathit{val}_{\mathcal{I},\eta}(\nu, x) = \nu(x)$ if $x$ is a state variable.

3. $\mathit{val}_{\mathcal{I},\eta}(\nu, f(\theta_1, \ldots, \theta_n)) = \mathcal{I}(f)\big(\mathit{val}_{\mathcal{I},\eta}(\nu, \theta_1), \ldots, \mathit{val}_{\mathcal{I},\eta}(\nu, \theta_n)\big)$ if $f$ is a function symbol of arity $n \ge 0$ and $\theta_1, \ldots, \theta_n$ are terms.

The notation $\eta[x \mapsto d]$ represents the assignment that agrees with $\eta$ except for the logical variable $x$, which takes the value $d$. The notation $\nu[x \mapsto d]$ denotes the modification of a state $\nu$ that agrees with $\nu$ everywhere except for the state variable $x$, which takes the value $d$.

Definition 2 (Valuation of dL formulas, [23, Defn. 2.6]). The valuation $\mathit{val}_{\mathcal{I},\eta}(\nu, \cdot)$ of formulas with respect to interpretation $\mathcal{I}$, assignment $\eta$, and state $\nu$ is defined as

1. $\mathit{val}_{\mathcal{I},\eta}(\nu, p(\theta_1, \ldots, \theta_n)) = \mathcal{I}(p)\big(\mathit{val}_{\mathcal{I},\eta}(\nu, \theta_1), \ldots, \mathit{val}_{\mathcal{I},\eta}(\nu, \theta_n)\big)$.

2. $\mathit{val}_{\mathcal{I},\eta}(\nu, \phi \wedge \psi) = \mathit{true}$ iff $\mathit{val}_{\mathcal{I},\eta}(\nu, \phi) = \mathit{true}$ and $\mathit{val}_{\mathcal{I},\eta}(\nu, \psi) = \mathit{true}$.

3. $\mathit{val}_{\mathcal{I},\eta}(\nu, \phi \vee \psi) = \mathit{true}$ iff $\mathit{val}_{\mathcal{I},\eta}(\nu, \phi) = \mathit{true}$ or $\mathit{val}_{\mathcal{I},\eta}(\nu, \psi) = \mathit{true}$.

4. $\mathit{val}_{\mathcal{I},\eta}(\nu, \neg\phi) = \mathit{true}$ iff $\mathit{val}_{\mathcal{I},\eta}(\nu, \phi) \ne \mathit{true}$.

5. $\mathit{val}_{\mathcal{I},\eta}(\nu, \phi \to \psi) = \mathit{true}$ iff $\mathit{val}_{\mathcal{I},\eta}(\nu, \phi) \ne \mathit{true}$ or $\mathit{val}_{\mathcal{I},\eta}(\nu, \psi) = \mathit{true}$.

6. $\mathit{val}_{\mathcal{I},\eta}(\nu, \forall x\,\phi) = \mathit{true}$ iff $\mathit{val}_{\mathcal{I},\eta[x \mapsto d]}(\nu, \phi) = \mathit{true}$ for all $d \in \mathbb{R}$.

7. $\mathit{val}_{\mathcal{I},\eta}(\nu, \exists x\,\phi) = \mathit{true}$ iff $\mathit{val}_{\mathcal{I},\eta[x \mapsto d]}(\nu, \phi) = \mathit{true}$ for some $d \in \mathbb{R}$.

8. $\mathit{val}_{\mathcal{I},\eta}(\nu, [\alpha]\phi) = \mathit{true}$ iff $\mathit{val}_{\mathcal{I},\eta}(\omega, \phi) = \mathit{true}$ for all states $\omega$ for which the transition relation (defined below) satisfies $(\nu, \omega) \in \rho_{\mathcal{I},\eta}(\alpha)$.

9. $\mathit{val}_{\mathcal{I},\eta}(\nu, \langle\alpha\rangle\phi) = \mathit{true}$ iff $\mathit{val}_{\mathcal{I},\eta}(\omega, \phi) = \mathit{true}$ for some state $\omega$ such that the transition relation satisfies $(\nu, \omega) \in \rho_{\mathcal{I},\eta}(\alpha)$.

We now define the transition semantics of hybrid programs. We already saw a glimpse of it in the definition of the valuation of formulas, since the formulas and programs of dL are defined by mutual induction.

Definition 3 (Transition semantics of hybrid programs, [23, Defn. 2.7]). The valuation of a hybrid program $\alpha$, denoted $\rho_{\mathcal{I},\eta}(\alpha)$, is a transition relation on states that specifies which states are reachable from a state $\nu$ under the program $\alpha$, and is defined inductively as follows.

1. $(\nu, \omega) \in \rho_{\mathcal{I},\eta}(x_1 := \theta_1, \ldots, x_n := \theta_n)$ iff the state $\omega$ equals the state obtained by modifying $\nu$ as $\nu[x_1 \mapsto \mathit{val}_{\mathcal{I},\eta}(\nu, \theta_1)] \cdots [x_n \mapsto \mathit{val}_{\mathcal{I},\eta}(\nu, \theta_n)]$.

2. $(\nu, \omega) \in \rho_{\mathcal{I},\eta}(\{x_1' = \theta_1, \ldots, x_n' = \theta_n \,\&\, H\})$ iff there is a flow $f$ of some duration $r \ge 0$ from $\nu$ to $\omega$ along the differential equations $x_1' = \theta_1, \ldots, x_n' = \theta_n$ that always respects the invariant $H$.

3. $\rho_{\mathcal{I},\eta}(?\chi) = \{(\nu, \nu) \mid \mathit{val}_{\mathcal{I},\eta}(\nu, \chi) = \mathit{true}\}$

4. $\rho_{\mathcal{I},\eta}(\alpha \cup \beta) = \rho_{\mathcal{I},\eta}(\alpha) \cup \rho_{\mathcal{I},\eta}(\beta)$

5. $\rho_{\mathcal{I},\eta}(\alpha; \beta) = \rho_{\mathcal{I},\eta}(\alpha) \circ \rho_{\mathcal{I},\eta}(\beta)$

6. $(\nu, \omega) \in \rho_{\mathcal{I},\eta}(\alpha^*)$ iff there is a sequence of states $\nu_0, \ldots, \nu_n$ with $n \ge 0$, $\nu = \nu_0$, and $\nu_n = \omega$ such that $(\nu_i, \nu_{i+1}) \in \rho_{\mathcal{I},\eta}(\alpha)$ for each $0 \le i \le n-1$.

B Soundness proof for forward invariant cut 

Fix an interpretation $\mathcal{I}$ and an assignment $\eta$. From the semantics of the first premise, if $\nu \in C$ and $(\nu, \omega) \in \rho_{\mathcal{I},\eta}(\alpha)$, then $\omega \in C$. From the semantics of the second premise, if $\omega \in C$, then $\omega \in S$. From the semantics of the third premise, if $\nu \in I$ and $\nu \notin C$, and $\omega$ is such that $(\nu, \omega) \in \rho_{\mathcal{I},\eta}((\alpha; ?\neg C)^*)$, then $\omega \in S$. This is equivalent to saying that for any $\omega$ such that there is a sequence of states $\nu_0, \ldots, \nu_n$, with $\nu_0 = \nu \in I$, $\nu \notin C$, $\nu_n = \omega$, $n \in \mathbb{N}$, and $(\nu_i, \nu_{i+1}) \in \rho_{\mathcal{I},\eta}(\alpha; ?\neg C)$ for each $0 \le i \le n-1$, it is the case that $\omega \in S$.

The proof is to show by induction that any state reachable by $\alpha^*$ from $I$ in $n \ge 0$ executions of $\alpha$ must be contained in $S$.

For the base case, let $n = 0$. Then given $\nu \in I$, the only state reachable by a sequence of length zero is $\nu$ itself. If $\nu \in C$, then $\nu \in S$ by the semantics of the second premise. If $\nu \notin C$, we have that $(\nu, \nu) \in \rho_{\mathcal{I},\eta}((\alpha; ?\neg C)^*)$ by a chain of length zero, so that by the semantics of the third premise, $\nu \in S$.

As an inductive hypothesis, suppose that every $\omega$ reachable by a chain of length $n$ satisfies $\omega \in S$ (i.e., there exist $\nu_0, \ldots, \nu_n$ with $\nu_0 = \nu$ and $\omega = \nu_n$ such that $(\nu_i, \nu_{i+1}) \in \rho_{\mathcal{I},\eta}(\alpha)$ for $0 \le i \le n-1$). Now choose any state $\zeta$ such that there is a chain of length $n+1$, $\nu_0, \ldots, \nu_{n+1}$, with $\nu_0 = \nu$ and $\nu_{n+1} = \zeta$, such that $(\nu_i, \nu_{i+1}) \in \rho_{\mathcal{I},\eta}(\alpha)$ for $0 \le i \le n$.

First suppose that $\nu_n \in C$. Then by the semantics of the first premise, $\nu_{n+1} \in C$, and then $\nu_{n+1} \in S$ by the semantics of the second premise. On the other hand, suppose $\nu_n \notin C$. We claim that for all $j \le n$, $\nu_j \notin C$. To see this, note that if $\nu_j \in C$ for some $j \le n$, then $\nu_n \in C$ by repeated application of the first premise, which would contradict our assumption on $\nu_n$. Then we have that $(\nu_i, \nu_{i+1}) \in \rho_{\mathcal{I},\eta}(\alpha; ?\neg C)$ for all $0 \le i \le n-1$. If $\zeta \in C$, then $\zeta \in S$ by the semantics of the second premise. Otherwise $(\nu_n, \zeta) \in \rho_{\mathcal{I},\eta}(\alpha; ?\neg C)$ as well, so the whole chain of length $n+1$ witnesses $(\nu, \zeta) \in \rho_{\mathcal{I},\eta}((\alpha; ?\neg C)^*)$, and by the semantics of the third premise it follows that $\zeta \in S$. This establishes the theorem.

Table 1: Model Parameters for the Engine Fuel Control System.

    Parameter   Value
    c1          0.41328
    c2          200.0
    c3          -0.366
    c4          0.08979
    c5          -0.0337
    c6          0.0001
    c7          2.821
    c8          -0.05231
    c9          0.10299
    c10         -0.00063
    c11         1.0
    c12         14.7
    c13         0.9
    c14         0.4
    c15         0.4
    c16         1.0
    u1          23.0829

C System dynamics for the Engine Fuel Control Model

We now present the model parameters and the ODEs for the Engine Fuel Control model. Figure 4 details the equations for the recovery mode, and Fig. 5 provides the dynamic equations for the normal mode. In the figures, $\frac{dp}{dt} = f_p$, $\frac{dr}{dt} = f_r$, $\frac{dp_{\mathrm{est}}}{dt} = f_{p_{\mathrm{est}}}$, and $\frac{di}{dt} = f_i$.

We translate the system so that the origin coincides with the normal equilibrium point $p \approx 0.8987$, $r = 1.0$, $p_{\mathrm{est}} \approx 1.077$, $i \approx 0.0$, and call the translated variables $\tilde{p}$, $\tilde{r}$, $\tilde{p}_{\mathrm{est}}$, and $\tilde{i}$, respectively.






[Figure 4: System dynamics for the Engine Fuel Control System in the recovery mode. The equations for $f_p$, $f_r$ and $f_{p_{\mathrm{est}}}$ did not survive text extraction; the only legible one is $f_i = 0$.]

[Figure 5: System dynamics for the Engine Fuel Control System in the normal mode. The equations for $f_p$, $f_r$, $f_{p_{\mathrm{est}}}$ and $f_i$ did not survive text extraction.]



